[wand3r]

Does anyone know how this can be enforced?

The ruling and situation aside, to what degree is it possible to enforce something like this and what are the penalties? Even in GDPR and other data protection cases, it seems super hard to enforce. Directives to keep or delete data basically require system level access, because the company can always CRUD their data whenever they want and whatever is in their best interest. Data can ask to be produced to a court periodically and audited which could maybe catch an individual case, I guess. There is basically no way to know without literally seizing the servers in an extreme case. Also, the consequences in most cases are a fine.

[mmooss]

This isn't the executive branch of the US government, which has Constitutional powers. It's a private company and the court can at least enforce massive penalties, presumptions against them at trial (causing them to lose), and contempt of court. Talk to a lawyer before you try something like it.

[imiric]

> the court can at least enforce massive penalties

A.k.a. the cost of doing business.

[mmooss]

Businesses care deeply about money. The bravado of many businesspeople these days, that they are immune to criticism, lawsuits, etc. is a bluff. It apparently works, because many people repeat it.

[imiric]

When fines are a small percentage of the company's revenue, they do nothing to stop them from breaking the law. So they are in fact just the cost of doing business.

E.g. Meta has been fined billions many times, yet they keep reoffending. It's basically become a revenue stream for governments.

[mmooss]

> Meta has been fined billions many times, yet they keep reoffending

They are a large company who do many things, some of which will violate the rules. Do they do it more, less, or the same as they would if there weren't fines?

[imiric]

That's a red herring question that's impossible to answer.

The point is not that Meta and other companies break laws. It's that they keep breaking the same ones related to privacy. They do this because their business model depends on exploiting their users' data. Privacy laws to them are a nuisance that directly impact their revenue, so if they calculate that the revenue from their activity is greater than the fines, then it's just the cost of doing business. If, OTOH, it turns out that the amount of resources they would need to expend on fines or to comply with the laws are greater than the possible revenue, i.e. the juice is not worth the squeeze, then they simply bail out and stop doing business in that jurisdiction. But so far, even billion-dollar fines are clearly lower than their revenues.

It's a simple numbers game, so I'm not sure what your argument is.